This version contains many new and changed features for those who are responsible for securing applications and the application serving environment.
This release of WebSphere Application Server enables you to use z/OS® System Authorization Facility (SAF) security to associate a SAF user ID with a distributed identity. When you use this feature, you can maintain the original identity information of a user for audit purposes and have less to configure in WebSphere Application Server.
The CSIv2 transport layer has three settings: TCP/IP (a plain TCP/IP connection only), SSL-supported (either a TCP/IP or an SSL connection is accepted), and SSL-required (an SSL connection only). SSL-required is the new default in this release of WebSphere Application Server. Making SSL-required the default ensures that all CSIv2 connections into and out of the server use SSL. Because the setting rejects plain TCP/IP connections outright, a client or downstream server that has not been configured for SSL is refused until its own transport setting is changed, so check both ends of each CSIv2 connection before relying on the new default.
When the com.ibm.ws.security.addHttpOnlyAttributeToCookies custom property is set to true, the HttpOnly attribute is added to the security cookies (the LTPA and WASReqURL cookies) that the server creates. HttpOnly is a cookie attribute that instructs the browser not to expose the cookie to client-side script (for example, JavaScript reading document.cookie). This prevents cookie theft through some cross-site scripting vulnerabilities; it does not stop injected script from running or from issuing requests that the browser still sends with the cookie attached. The attribute is now configurable in the administrative console. Prior to WebSphere Application Server Version 8.0, the default for com.ibm.ws.security.addHttpOnlyAttributeToCookies was false. In Version 8.0 the default is true for both the LTPA cookie and the session cookie.
For more information see the custom property com.ibm.ws.security.addHttpOnlyAttributeToCookies in the Security custom properties article.
Only authenticated users can access sessions created in secure pages. The session management facility uses the security infrastructure to determine the authenticated identity associated with a client HTTP request, and either retrieves or creates a session. For more information on session security, read the Session security support article.
Along with session security integration, credential persistence is enabled as well. With credential persistence, authentication data that the request already carries (such as an LTPA cookie) is used even when the requested URI is unprotected, so the authenticated identity is available to those requests and can be used to look up user information. For more information on credential persistence, see the "Use available authentication data when an unprotected URI is accessed" feature in the web authentication settings article.
This release of WebSphere Application Server supports the JSR 196: Java Authentication SPI for Containers (JASPI, or sometimes called JASPIC) specification, which enables third-party security providers to handle the Java Platform, Enterprise Edition (Java EE) authentication of HTTP request and response messages destined for web applications. The JASPI specification extends the pluggable authentication concepts of the Java Authentication and Authorization Service (JAAS) to the authentication of HTTP request and response messages. When application security is enabled, and a protected web resource is accessed, the web container and the security runtime collaborate to make an authentication decision for the caller. When using a third-party JASPI provider, the authentication decision is delegated to that provider.
A significant enhancement is the new annotation support for servlets. With Java Servlet 3.0, a developer can declare security constraints with annotations (such as @ServletSecurity) as an alternative to declaring them in the web.xml file, which was the only option before Servlet 3.0. The web.xml file continues to function, and where a constraint in web.xml conflicts with an annotation, web.xml takes precedence.
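The following added example (written for this page, not taken from WebSphere or from IBM) shows the annotation form of a security constraint on a hypothetical AccountsServlet mapped to /accounts/*, with the roles auditor and admin assumed. It demonstrates the detail that matters most in practice: the constraints listed for GET and POST say nothing about HEAD, OPTIONS, TRACE or any custom method, so the default @HttpConstraint is what decides whether those methods are denied or allowed.

```java
import java.io.IOException;
import java.io.PrintWriter;

import javax.annotation.security.DeclareRoles;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.HttpMethodConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.ServletSecurity.EmptyRoleSemantic;
import javax.servlet.annotation.ServletSecurity.TransportGuarantee;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Example servlet for this page (not IBM code). Roles and URL pattern are assumed.
 *
 * Equivalent web.xml for the GET rule, shown for comparison; if this
 * <security-constraint> is present for the same pattern, web.xml wins and the
 * annotation is ignored for that pattern:
 *
 *   <security-constraint>
 *     <web-resource-collection>
 *       <web-resource-name>accounts</web-resource-name>
 *       <url-pattern>/accounts/*</url-pattern>
 *       <http-method>GET</http-method>
 *     </web-resource-collection>
 *     <auth-constraint><role-name>auditor</role-name><role-name>admin</role-name></auth-constraint>
 *     <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
 *   </security-constraint>
 */
@DeclareRoles({ "auditor", "admin" })
@WebServlet(urlPatterns = "/accounts/*")
@ServletSecurity(
    // Default for every HTTP method NOT listed in httpMethodConstraints:
    // require SSL and deny all callers. Without EmptyRoleSemantic.DENY the
    // default would be PERMIT, and a HEAD or custom-method request would reach
    // the servlet with no role check at all.
    value = @HttpConstraint(value = EmptyRoleSemantic.DENY,
                            transportGuarantee = TransportGuarantee.CONFIDENTIAL),
    httpMethodConstraints = {
        @HttpMethodConstraint(value = "GET",
                              rolesAllowed = { "auditor", "admin" },
                              transportGuarantee = TransportGuarantee.CONFIDENTIAL),
        @HttpMethodConstraint(value = "POST",
                              rolesAllowed = { "admin" },
                              transportGuarantee = TransportGuarantee.CONFIDENTIAL)
    })
public class AccountsServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The container has already authenticated and authorized the caller;
        // getRemoteUser() is therefore never null here.
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        out.println("caller: " + req.getRemoteUser());
        out.println("may modify: " + req.isUserInRole("admin"));
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Only members of admin reach this point because of the POST constraint.
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}
```

Because web.xml overrides annotations, a quick way to audit a deployed application is to check whether web.xml contains a <security-constraint> for the same url-pattern: if it does, the annotations on that servlet are not in effect for that pattern, whatever they say.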
Use the importLTPAKeys command to import LTPA keys from a file and add them to the security runtime and configuration. The exportLTPAKeys command exports the LTPA keys that the runtime is currently using to a file. The exported file is protected with a password, but treat it with the same care as the keys themselves: anyone who obtains the file and its password can create LTPA tokens that every server sharing those keys will accept.
In WebSphere Application Server Version 7.0, the federated repositories user registry could only be configured at the global level, with a single instance per cell; any domain could use it by configuring it as the active registry. In WebSphere Application Server Version 8.0, you can configure a unique instance of a federated repository at the domain level in a multiple security domain environment.
When a security domain is copied from the global level, the users and groups defined at the global level are also copied to the security domain. The same applies when copying from an existing domain. A newly created security domain that uses the file-based VMM repository starts empty, and you must populate the repository with users and groups yourself.
Also new in this release of WebSphere Application Server is the Use global schema for model check box on the Realm configurations settings page of the administrative console, which sets the global schema option for the data model in a multiple security domain environment. The global schema is the schema of the admin domain.
The security configuration report now includes information about session security, web attributes, and the HttpOnly setting, so that you get a more complete view of your server security settings.
The report is a table with four columns: Console Name, Security Configuration Name, Value, and Console Path Name. The information gathered is divided into sections that group related security settings. A row highlighted in blue with a title in the first column starts a new section.
The Security Configuration Report can be run from the Global security page of the administrative console by clicking Security Configuration Report. A new window displays the report information.
New for this release, the default value of the com.ibm.CSI.propagateFirstCallerOnly security custom property is true. When this custom property is set to true, only the first caller is recorded in the propagation token that stays on the thread when security attribute propagation is enabled. When this property is set to false, every caller switch is recorded in the token, which can affect performance.
The Set security cookies as HTTPOnly to resist cross-site scripting attacks check box has been added to the Single sign-on settings page for this release. HttpOnly is a cookie attribute that instructs the browser not to expose the cookie to client-side script (for example, JavaScript), which prevents cookie theft through some cross-site scripting vulnerabilities. Selecting the check box causes the LTPA and WASReqURL cookies to be sent with the HttpOnly attribute.
Web applications running in mid-tier WebSphere servers might need to propagate LtpaToken2 cookies on downstream web invocations. In this release of WebSphere Application Server, a new application programming interface (API) lets application developers perform downstream SSO programmatically, without the application having to store and resend the user's credentials.
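The following added example (written for this page, not code from WebSphere or from IBM) shows a mid-tier servlet that obtains the current caller's LtpaToken2 cookie from the security runtime and attaches it to a downstream HTTPS call. It assumes the API is the static method WSSecurityHelper.getLTPACookieFromSSOToken() in com.ibm.websphere.security, returning a javax.servlet.http.Cookie and declaring a checked exception; the downstream URL is a placeholder. The two checks around the call are the ones a practitioner wants: refuse to send the token over plain HTTP, and only send it to a server that shares this cell's LTPA keys, because the cookie is a bearer credential for the user.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;

import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.ibm.websphere.security.WSSecurityHelper;

/**
 * Example mid-tier servlet for this page (not IBM code).
 * Forwards the caller's identity to a downstream WebSphere server by
 * propagating the LtpaToken2 cookie instead of storing a password.
 */
public class ReportProxyServlet extends HttpServlet {

    // Assumed downstream endpoint; must be a server in the same SSO domain
    // that shares this cell's LTPA keys (see importLTPAKeys/exportLTPAKeys).
    private static final String DOWNSTREAM_URL =
        "https://reports.example.internal:9443/reports/summary";
    private static final String DOWNSTREAM_HOST = "reports.example.internal";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        Cookie sso;
        try {
            // Asks the security runtime for an LtpaToken2 cookie for the caller
            // currently on this thread. Assumed signature; see lead-in.
            sso = WSSecurityHelper.getLTPACookieFromSSOToken();
        } catch (Exception e) {
            throw new ServletException("could not obtain SSO cookie for the caller", e);
        }
        if (sso == null) {
            // No authenticated caller on the thread (for example, an unprotected URI
            // without credential persistence): do not call downstream anonymously.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        URL target = new URL(DOWNSTREAM_URL);
        // The token is a bearer credential: never send it over plain HTTP, and
        // never send it to a host outside the LTPA key-sharing domain.
        if (!"https".equals(target.getProtocol()) || !DOWNSTREAM_HOST.equals(target.getHost())) {
            throw new ServletException("refusing to propagate LTPA cookie to " + target);
        }

        HttpURLConnection conn = (HttpURLConnection) target.openConnection();
        conn.setRequestMethod("GET");
        conn.setInstanceFollowRedirects(false);   // a redirect could leak the cookie elsewhere
        conn.setRequestProperty("Cookie", sso.getName() + "=" + sso.getValue());

        int status = conn.getResponseCode();
        resp.setStatus(status);
        String type = conn.getContentType();
        if (type != null) {
            resp.setContentType(type);
        }
        InputStream in = status < 400 ? conn.getInputStream() : conn.getErrorStream();
        if (in != null) {
            OutputStream out = resp.getOutputStream();
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) != -1) {
                out.write(buf, 0, n);
            }
            in.close();
        }
    }
}
```

Do not log the cookie value, and do not cache it beyond the request: the runtime can mint a fresh one for every downstream call, and the token expires with the user's LTPA session.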